Does Google Book privacy policy go far enough?
The main points:
- The Book Rights Registry receives only aggregate, non-personally identifiable information about your use of Google Books -- no individual information unless it goes through legal processes.
- Speaking of legal processes, Google says it will comply with state laws that set a high ("compelling need") standard for litigants to obtain book information. "We will also continue our strong history of fighting for high standards to protect users, regardless of whether a particular "books law" applies."
- Schools and libraries will be able to identify their users through institutional IP addresses. Likewise for public libraries.
- Finally, Google will hide specific purchases from your credit card statements and allow you to dissociate book purchases from your Web History.
So, how do these pledges stand up? To find out, I talked to Andrew McDiarmid, a policy analyst at the Center for Democracy and Technology. In July, CDT issued its privacy wish list (PDF) for Google Books. The privacy draft posted today is a "good first step," McDiarmid said, "but it doesn't go as far as we would like."
On the positive side, CDT likes Google's promise to only share aggregate information with the Registry, that libraries can authenticate their own users, and users' ability to disasssociate purchases from web history.
But what is still troubling, he said, is that Google hasn't promised to not comingle the Books data with web search and other data Google collects on users, nor promised not to use book data as part of their behavioral advertising campaigns.
"On balance, we remain supportive of the settlement," McDiarmid said, but CDT will be filing an amicus brief next week, asking the judge to apply greater privacy restrictions as part of approving the deal.